Rootkits: What's a newbie to know?

Printable View

April 23rd, 2006, 05:20 PM
invalidant

Rootkits: What's a newbie to know?

Can anyone recommend some rootkit info/detectors to use for someone that isn't all that computer security literate? So far I've been using Rootkit Revealer and RKDetector. But, as I've read, how trustworthy are these programs on systems that may have already been compromised? I've posted RKR logs to their corresponding forums and they said I was fine. With RKD, however, I keep getting results on my System Volume Info folders, namely in restore. Regardless, I'm reinstalling my OS (XP).

I keep reading about rootkits being the next big thing in computer security and I just want to be able to protect myself accordingly since I've made an enemy of sorts in the past few months with someone a lot more computer literate, especially in computer security, than me.
April 23rd, 2006, 05:28 PM
ByTeWrangler

Greeting's

Here are some source's of information :

1. http://research.microsoft.com/rootkit/

2. www.rootkit.com

3. http://www.amazon.com/gp/product/032...20749?n=283155 (its a link to a nice book)

Finally you may try GOOGLE. (I got the results from there only and from systeminternals.com)

You must understand that to install a rootkit your computer's security will be compromised, hece what I want to say is you must start from basics like firewall, anti-virus, local-user policy, deleting or disabling un-needed service's etc. You shouldnt worry much about rootkit but you should worry about other security aspects.
April 23rd, 2006, 05:28 PM
Falcon21

F-Secure BlackLight
RootKit Hook Analyzer
April 23rd, 2006, 08:33 PM
brokencrow

I've used Rootkitrevealer quite a bit. It'll generate a lot of false positives. I ran it on my old NT webserver and EVERYTHING in the Apache folder came up positive. That was rather an exception. Better be ready to google any files it finds.

Don't know about the others. Falcon, thanks for the link to RootKit Hook Analyzer.
April 25th, 2006, 10:56 PM
stlivingston

SysInternals is a great place to start:

http://www.sysinternals.com/Utilitie...tRevealer.html

There are several referenced sites at the bottom that this site is based on.
April 26th, 2006, 08:42 PM
ric-o

Re: Rootkits: What's a newbie to know?

Quote:

Originally posted here by invalidant
I keep reading about rootkits being the next big thing in computer security and I just want to be able to protect myself accordingly since I've made an enemy of sorts in the past few months with someone a lot more computer literate, especially in computer security, than me.

Just make sure they dont have physical access to your PC...if they do there's very little you can do to keep them from planting something on there.

Otherwise just make sure you practice the basics (assuming you are running Windows)...

* Updated anti-virus installed
* Updated anti-spyware apps installed (recommend more than 1)
* Personall firewall installed
* Surf Internet and read email while logged in as a non-administrator user
* Set web browser to block pop-ups and not run Java or Javascript
* Dont click links in emails

This should help keep you safe. Remember though: no physical access for this person!
April 28th, 2006, 10:38 PM
wheaty_bytes

How is chkrootkit as a rootkit detector?
April 29th, 2006, 12:27 AM
nihil

wheaty_bytes

AFAIK chkrootkit is for *nix and the OP is using Windows XP?

All I would suggest is that for something as sneaky as a rootkit you should certainly run your tests/scans in safe mode and I would personally prefer to run them from a live CD (or recovery CD) with trusted files on it, rather than those in the installed operating system that might have been already compromised by the rootkit.

Just my £0.02